FOR585: Advanced Smartphone Forensics

As an experienced user of the tools, I found FOR585 very instructional on how and why these tools give the results they do during an examination.

SA Charles Cox, FBI Computer Analysis and Response Team

FOR585 is the best out there.

Andy Nind, British Army

FOR585 Advanced Smartphone Forensics will help you understand:

Where key evidence is located on a smartphone

How the data got onto the smartphone

How to recover deleted mobile device data that forensic tools miss

How to decode evidence stored in third-party applications

How to detect, decompile, and analyze mobile malware and spyware

How to handle locked or encrypted devices, applications, and containers

SMARTPHONES HAVE MINDS OF THEIR OWN.

DON'T MAKE THE MISTAKE OF REPORTING SYSTEM EVIDENCE AS USER ACTIVITY.

IT'S TIME TO GET SMARTER!

A smartphone lands on your desk and you are tasked with determining if the user was at a specific location at a specific date and time. You rely on your forensic tools to dump and parse the data. The tools show location information tying the device to the place of interest. Are you ready to prove the user was at that location? Do you know how to take this further to place the subject at the location of interest at that specific date and time? Tread carefully, because the user may not have done what the tools are showing!

Mobile devices are often a key factor in criminal cases, intrusions, IP theft, security threats, accident reconstruction, and more. Understanding how to leverage the data from the device in a correct manner can make or break your case and your future as an expert. FOR585: Advanced Smartphone Forensics will teach you those skills. Every time the smartphone "thinks" or makes a suggestion, the data are saved. It's easy to get mixed up in what the forensic tools are reporting. Smartphone forensics is more than pressing the "find evidence" button and getting answers. Your team cannot afford to rely solely on the tools in your lab. You have to understand how to use them correctly to guide your investigation, instead of just letting the tool report what it believes happened on the device. It is impossible for commercial tools to parse everything from smartphones and understand how the data were put on the device. Examination and interpretation of the data is your job and this course will provide you and your organization with the capability to find and extract the correct evidence from smartphones with confidence.

This in-depth smartphone forensic course provides examiners and investigators with advanced skills to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features 20 hands-on labs that allow students to analyze different datasets from smart devices and leverage the best forensic tools, methods, and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools. Each lab is designed to teach you a lesson that can be applied to other smartphones. You will gain experience with the different data formats on multiple platforms and learn how the data are stored and encoded on each type of smart device. The labs will open your eyes to what you are missing by relying 100% on your forensic tools.

FOR585 is continuously updated to keep up with the latest malware, smartphone operating systems, third-party applications, and encryption. This intensive six-day course offers the most unique and current instruction on the planet, and it will arm you with mobile device forensic knowledge you can immediately apply to cases you're working on the day you leave the course.

Smartphone technologies are constantly changing, and most forensic professionals are unfamiliar with the data formats for each technology. Take your skills to the next level: it's time for the good guys to get smarter and for the bad guys to know that their texts and apps can and will be used against them!

For multi-course live training events, there will be a set up time from 8:00-9:00am on the first day only to make sure that computers are configured correctly to make the most of class time. All students are strongly encouraged to attend.

Course Syllabus

Overview

Focus: Although smartphone forensic concepts are similar to those of digital forensics, smartphone file system structures differ and require specialized decoding skills to correctly interpret the data acquired from the device. On this first course day, students will apply what they know to smartphone forensic handling, device capabilities, acquisition methods, and SQLite database examination and query development. Students will also become familiar with the forensic tools required to complete comprehensive examinations of smartphone data structures. Malware affects a plethora of smartphone devices. This section will examine various types of malware, how it exists on smartphones, and how to identify and analyze it. Most commercial smartphone tools help you identify malware, but none of them will allow you to tear down the malware to the level we cover in class. Up to five labs will be conducted on this first day alone!

All examiners today have to address the existence of malware on smartphones. Often the only questions relating to an investigation may be whether a given smartphone was compromised, how, and what can be done to fix it. It is important for examiners to understand malware and how to identify its existence on the smartphone.

Smartphones will be introduced and defined to set our expectations for what we can recover using digital forensic methodologies. We review the properties of Flash memory in mobile devices and demonstrate the pros and cons from a forensic perspective. We provide approaches for dealing with common challenges such as encryption, passwords, and damaged devices. Students will learn how to process and decode data on mobile devices from a forensic perspective, then learn tactics to recover information that even forensic tools may not always be able to retrieve.

The SIFT Workstation has been specifically loaded with a set of smartphone forensic tools that will be your primary toolkit and working environment for the week.

FOR585.2: Android Forensics

Overview

Focus: Android devices are among the most widely used smartphones in the world, which means they will surely be part of an investigation that will come across your desk. Android devices contain substantial amounts of data that can be decoded and interpreted into useful information. However, without honing the appropriate skills for bypassing locked Androids and correctly interpreting the data stored on them, you will be unprepared for the rapidly evolving world of smartphone forensics.

Digital forensic examiners must understand the file system structures of Android devices and how they store data in order to extract and interpret the information they contain. On this course day we will delve into the file system layout on Android devices and discuss common areas containing files of evidentiary value. Traces of user activities on Android devices are covered, as is recovery of deleted data residing in SQLite records and raw data files.

During hands-on exercises, you will use smartphone forensic tools to extract, decode, and analyze a wide variety of information from Android devices. You will use your SQLite examination skills, taught in the first course section, to draft queries to parse information that the commercial tools cannot support.

Manually decode and interpret data recovered from a physical dump of an Android device

CPE/CMU Credits: 6

Topics

Android Forensic Overview

Android Architecture and Components

NAND Flash Memory in Android Devices

Android File System Overview

Handling Locked Android Devices

Security Options on Android

Methods for Bypassing Locked Android Devices

Demonstration of Bypassing Android Security and Encryption

Practical Tips for Accessing Locked Android Devices

Android File System Structures

Defining Data Structure Layout

Physical

File System

Logical

Data Storage Formats

Parsing and Carving Data

Physical and Logical Keyword Searches

Android Evidentiary Locations

Primary Evidentiary Locations

Unique File Recovery

Parsing SQLite Database Files

Manual Decoding of Android Data

Traces of User Activity on Android Devices

How Android Applications Store Data

Deep Dive into Data Structures on Android Smartphones

SMS/MMS

Calls, Contacts, and Calendar

E-mail and Web Browsing

Location Information

Third-Party Applications

Salvaging Deleted SQLite Records

Salvaging Deleted Data from Raw Images on Android Devices

Bonus Materials

Android Cheat Sheet

Android Acquisition Methods

Relevant White Papers and Guides

FOR585.3: Android Backups and iOS Device Forensics

Overview

Focus: Android backups can be created for forensic analysis or by a user. Smartphone examiners need to understanding the file structures and how to parse these data. Apple iOS devices contain substantial amounts of data (including deleted records) that can be decoded and interpreted into useful information. Proper handling and parsing skills are needed for bypassing locked iOS devices and correctly interpreting the data. Without iOS instruction, you will be unprepared to deal with the iOS device that will likely be a major component in a forensic investigation.

Digital forensic examiners must understand the file system structures and data layouts of Apple iOS devices in order to extract and interpret the information they contain. To learn how to do this, we delve into the file system layout on iOS devices and discuss common areas containing files of evidentiary value. Encryption, decryption, file parsing, and traces of user activities are covered in detail.

During hands-on exercises, students will use smartphone forensic tools and methods to extract and analyze a wide variety of information from Android backups and iOS devices. Students will also be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools.

Exercises

Examine and decode data from an Android backup

Manually decode and extract information from iOS file system and logical acquisitions

FOR585.4: iOS Backups, Windows, and BlackBerry 10 Forensics

Overview

Focus: iOS backups are extremely common and are found in the cloud and on hard drives. Not only do users create backups, we often find that our best data can be derived from creating an iOS backup for forensic investigation. We realize that not everyone examines BlackBerry and Windows Phone devices, which is why we are focusing primarily on BlackBerry 10, Windows Phone 8 and 10 and application usage. Both the Windows Phone and BlackBerry 10 sections highlight pieces of evidence that can be found on multiple smartphones. BlackBerry smartphones are designed to protect user privacy, but techniques taught on this course day will enable the investigator to go beyond what the tools decode and manually recover data residing in database files of BlackBerry device file systems. The day ends with the students challenging themselves using tools and methods learned throughout the week to recover user data from a wiped Windows Phone before embarking on a BlackBerry 10 lab that covers tying SIM cards and application usage to a device.

iOS backup files are commonly part of digital forensic investigations. This course day provides students with a deep understanding of backup file contents, manual decoding, and parsing and cracking of encrypted backup file images.

Forensic examiners must understand the concept of interpreting and analyzing the information on a variety of smartphones, as well as the limitations of existing methods for extracting data from these devices. This course day covers how to handle encryption issues, Windows Phone artifacts, BlackBerry Enterprise Server data, and locked devices. Manual decoding of Windows Phone and BlackBerry 10 data will provide access to a vast amount of data that forensic tools seem to miss.

During hands-on exercises, students will use smartphone forensic tools and other methods to extract and analyze a wide variety of information from iOS backups, Windows Phones, and BlackBerry 10 devices. Students will be required to manually decode data that were wiped, encrypted, or deleted, or that are unrecoverable using smartphone forensic tools.

FOR585.5: Third-Party Application and Knock-Off Forensics

Overview

Focus: This day starts with third-party applications across all smartphones and is designed to teach students how to leverage third-party application data and preference files to support an investigation. The rest of the day focuses heavily on secure chat applications, recovering deleted application data and attachments, mobile browser artifacts, and knock-off phone forensics. The skills learned in this section will provide you with advanced methods for decoding data stored in third-party applications across all smartphones. We will show you what the commercial tools miss and teach you how to recover these artifacts yourself.

During hands-on exercises, students will use smartphone forensic tools to extract and analyze third-party application files of interest and then have to manually dig and recover data that are missed. Students will be required to manually decode data that were deleted or are unrecoverable using smartphone forensic tools and custom SQLite queries that they write themselves. The hands-on exercises will be a compilation of everything you have learned up until now in the course and will require the manual decoding of third-party application data from multiple smartphones. The knock-off forensics lab will be a mini-lab to test your knowledge on handling devices that may appear on your desk for examination. At the culmination of this section, you will have proven to yourself that you have the skill set to recover artifacts that the forensic tools cannot recover.

Exercises

Advanced third-party application exercise requiring students to use skills learned during the first four days of the course to manually decode communications stored in third-party application files across multiple smartphones

Recover attachments using an exercise that requires students to write more complex SQL queries to recover attachments from the smartphone

Recover deleted data from Chat applications using an exercise challenging students to develop techniques to locate and recover deleted content

Browser analysis exercise requiring students to manually examine third-party browser activity that the commercial tools may not parse

FOR585.6: Smartphone Forensic Capstone Exercise

Overview

Focus: This final course day will test all that you have learned during the course. Working in small groups, students will examine three smartphone devices and solve a scenario relating to a real-world smartphone forensic investigation. Each group will independently analyze the three smartphones, manually decode data, answer specific questions, form an investigation hypothesis, develop a report, and present findings.

By requiring student groups to present their findings to the class, this capstone exercise will test your understanding of the techniques taught during the week. The findings should be technical and include manual recovery steps and the thought process behind the investigative steps. An executive summary of findings is also expected.

Exercises

Each group will be asked to answer the key questions listed below during the capstone exercise, just as they would during a real-world digital investigation:

Identification and Scoping

What is the criminal operation?

What devices are involved?

Which individuals are involved?

Forensic Examination

What were the key communications between individuals?

What methods were used to secure the communication?

Were any of the mobile devices compromised by malware?

Forensic Reconstruction

What is the motive?

In addition, students will be required to generate a forensic report.

CPE/CMU Credits: 6

Additional Information

Laptop Required

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE INSTRUCTIONS!!

Before coming to class, carefully read and follow these instructions precisely.

Each student participating in this course needs a properly configured 64-bit system. Before coming to class, carefully read and follow these instructions exactly. As your core operating system, you can use any 64-bit version of Windows, MAC OSX, or Linux that can also install and run VMware virtualization products.

It is critical that your CPU and operating system support 64 bits so that our 64-bit guest virtual machine will run on your laptop. VMware provides a free tool that will detect whether your host supports 64-bit guest virtual machines. For further troubleshooting, this Microsoft Support article provides instructions for Windows users to learn more about the CPU and OS capabilities. For Macs, please use this support page from Apple to determine 64-bit capability.

Please download and install VMware Workstation 12.0, VMware Fusion 8.0, or VMware Player 12.0 on your system prior to beginning the class. (Note: This is required to prevent issues with USB 3.0 ports.) If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Hardware Requirements

CPU: A 64-bit Intel® x64 2.0+ GHz processor or higher-based system is mandatory for this course. (Important - Please read: a 64-bit system processor is mandatory)

Students must have the capability to have Local Administrator Access within their host operating system

Mandatory Software Requirements

Host operating system: Fully patched and updated Windows (7+), Mac OSX (10.10+), or recent version of Linux operating system (released 2014 or later) that also can install and run VMware virtualization products (VMware Workstation, VMware Fusion, or VMware Player). Please note: It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices. Those who use a Linux host must also be able to access ExFAT partitions using the appropriate kernel or FUSE modules.

Bring the proper system hardware (64 bit/8 GB RAM) and operating system configuration.

Install VMware (Workstation, Player, or Fusion, MS Office and 7Zip.

Bring a mouse if it's going to help you navigate your evidence.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

FOR585 is designed for students who are both new to and experienced with smartphone and mobile device forensics. The course provides the core knowledge and hands-on skills that a digital forensic investigator needs to process smartphones and other mobile devices. The course is a must for:

Experienced digital forensic examiners who want to extend their knowledge and experience to forensic analysis of mobile devices, especially smartphones

Media exploitation analysts who need to master Tactical Exploitation or Document and Media Exploitation operations on smartphones and mobile devices by learning how individuals used their smartphones, who they communicated with, and what files they accessed

Prerequisites

There is no prerequisite for this course, but a basic understanding of digital forensic file structures and terminology will help the student grasp topics that are more advanced. Previous training in mobile device forensic acquisition is also useful, but not required.

What You Will Receive

Smartphone Analysis Windows SIFT Workstation

A SIFT Windows virtual machine (Smartphone Version) is used with all hands-on exercises to teach students how to examine and investigate information on smartphones. The SIFT virtual machine design for this course contains free and open-source tools, easily matching any modern forensic tool suite

FOR585: Advanced Smartphone Forensics Will Prepare You And Your Team To:

Reconstruct events surrounding a crime using information from smartphones, including timeline development and link analysis (e.g., who communicated with whom, where, and when)

Understand how smartphone file systems store data, how they differ, and how the evidence will be stored on each device

Interpret file systems on smartphones and locate information that is not generally accessible to users

Identify how the evidence got onto the mobile device - we'll teach you how to know if the user created the data, which will help you avoid the critical mistake of reporting false evidence obtained from tools

Apply the knowledge you acquire during the course to conduct a full-day smartphone capstone event involving multiple devices and modeled after real-world smartphone investigations

Hands-On Training & Labs

FOR585 features 20 hands-on labs and a final forensic challenge to ensure that students not only learn the material, but can also execute techniques to manually recover data. Some labs are "choose your own adventure" to enable students who may need to focus on a specific device to select relevant labs and go back to the others as time permits. The labs cover the following topics:

Malware and Spyware - Two labs are designed to teach students how to manually decompact and statically analyze malware recovered from an Android device. The processes used here reach beyond commercial forensic kits and methods.

JTAG Password Cracking - This lab shows students how to load images acquired using JTAG methods and how to crack the lockcode on the device.

Android Analysis - Three labs are designed to teach students how to manually crack into locked devices, carve for deleted data, validate tool results, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. Open-source methods are utilized and highlighted where possible. An additional lab teaches students how to manually crack lockcodes from Android devices.

iOS Analysis - Two labs are designed to teach students how to manually carve for deleted data, validate tool results, and parse third-party application files for user-created data not commonly parsed by commercial forensic tools. In addition, methods for "tricking" your tools into parsing data from encrypted images are built into the labs.

Backup File Analysis - Three labs are designed to teach students how to parse data from iOS and Android backup files. These labs will drive students to parse data from databases, plists, and third-party application data.

Windows Phone Analysis - This is one of the most challenging labs for students, as the device was wiped prior to acquisition. Test all of the methods you learned during the course to see what can really be recovered from a wiped Windows Phone.

BlackBerry 10 Analysis - This all-encompassing lab provides students with a chance to tie external media (SIM cards) to a device, understand how data are manually carved and parsed, and how BlackBerry 10 applications differ from Android and iOS. The methods used in this lab will apply to other smartphones that contain SIM cards and leverage-third party applications (Android, Windows Phone, Nokia, etc.)

Third-Party Application Analysis and Knock-off Phone Analysis - These labs challenge students to examine third-party applications pulled from multiple smartphone devices, and to handle knock-off devices that are not commonly parsed by commercial tools.

Parsing Application Databases - Three labs are designed to challenge students to write SQL queries to parse tables of interest, recover attachments associated with chats, recover deleted chats, and recover data from secure chat applications. These labs will challenge students beyond what a commercial tool can offer.

Browser Analysis - This lab is focused on showing similarities and differences between computer and mobile browser artifacts. Your commercial tools may be good at parsing some evidence, but this lab will highlight what is missed!

Smartphone Forensic Capstone - The final challenge tests all that students have learned in the course. It features multiple smartphone devices used in various locations involving communication, third-party applications, Internet history, cloud and network activity, shared data, and more. The exercise encourages students to dig deep and showcase what they learned in FOR585 so that they can immediately apply it to their work when returning to their jobs.

Quotes from Former Students

"Simply brilliant! The best SANS course I have ever taken, excellently developed and expertly delivered. " - R. Pittman, NASA

"Great class to take in conjunction with SANS 408/508. I'm better prepared to do my job as a Forensic Analyst. " - B. Kelley, US Army

"I have been working on phones for 3 years & have learned so many valuable things that I would not have through normal job experience. " - J. Sikorski, 4Discovery

"Best hands-on mobile device training." - S. Surzyn, GM

"This is the best cell phone course that I have ever taken. I love that the course is vendor neutral and teaches many different skills. " - A. Bedford, NC DOJ

"This is the most advanced mobile device training that I know of and is greatly needed. It is currently the only course being taught at this level!" - Scott McNamee, DoS/CACI

"As an experienced user of the tools, I found FOR585 very instructional on how and why these tools give the results they do during an examination." - Charles Cox, FBI Computer Analysis and Response Team

"FOR585 is the best out there." - Andy Nind, British Army

"This course is worth it, even for a novice like myself." - S. Gentry, Adobe

"This course was very high-quality training that provided exactly what was advertised!....Great BlackBerry lab. I have never dug this deep in a BlackBerry before." - C. McCollom, Clark County Sheriff's Office

"I finally know what I have been missing! I did not know I was ignorant." - Mark G., Department of Justice

"If I could afford it I would take this course every year. I am sure I would learn new things as the course evolves to new technology." - Jim Stapleton, student

"I have been working with phones since 2009, and [instructor] Heather [Mahalik] very casually showed me how much I don't know. Excellent!" - Harbin Combee, MPDC

Statements From Our Authors

"Digital forensic investigations almost always involve a smartphone or mobile device. Often the smartphone is the only form of digital evidence relating to the investigation and is the most personal device a person owns! Let's be honest: how many people share their smartphones like they do computers? Not many. Knowing how to recover all of the data residing on the smartphone is now an expectation in our field, and examiners must understand the fundamentals of smartphone handling, data recovery, accessing locked devices, and manually recovering data hiding in the background on the device. FOR585: Advanced Smartphone Forensics provides this required knowledge to beginners in mobile device forensics and to mobile device experts. This course has something to offer everyone! There is nothing out there that competes with this course and associated GIAC certification." - Heather Mahalik

"One thing is clear no matter whether you work in law enforcement or the private sector: the importance of evidence obtained from smartphones and other mobile devices has become crucial to all kinds of investigations. Solid foundational knowledge, skills, and techniques in mobile device forensics are no longer optional. Developed by passionate practitioners with a high level of experience in the field, FOR585: Advanced Smartphone Forensics provides the elements you need to succeed in your investigations and thrive in the rapidly changing mobile device forensics environment." - Cindy Murphy

"Eighty-five percent of the world's population today has a mobile phone. In the United States alone, almost half of these devices are smartphones. The tools and techniques for acquiring and analyzing these devices are changing every day. As the handsets become more sophisticated in the storage and obfuscation of personal user data, the tools and practitioners are in a race to uncover data related to investigations. The concepts covered in FOR585: Advanced Smartphone Forensics will not only highlight some of the best tools available for acquiring and analyzing the smart devices on the market today, they will also provide examiners with best practices and techniques for delving deeper into smart devices as new applications and challenges arise. FOR585 keeps students ahead of the curve!" - Domenica Crognale

Additional Resources

Take your learning beyond the classroom. Explore our site network for additional resources related to this course's subject matter.